Credit Card Rivals to Unite In Data Protection Effort

By ERIC DASH

Published: January 12, 2006

Two longtime rivals in the credit card business are working together to create a private group that would set new industrywide security standards as early as the middle of this year, a MasterCard executive said yesterday.

Security officials from Visa USA and MasterCard International began quietly meeting early last year to discuss the best way to improve data security. But the high-profile disclosure of a security breach at CardSystems Solutions, a tiny payment processor that left 40 million cardholder accounts exposed to fraud, has given the effort a new push.

Visa and MasterCard executives have separately proposed the idea of an independent standard-setting body that can certify that member banks and merchants have met certain guidelines and standards.

"We have had preliminary conversations, and it would be a good idea to have these P.C.I. standards in an open standards body," said Chris Thom, MasterCard's chief risk officer, referring to the payment card industry rules. "There is no reason that this shouldn't be done."

At a Visa-sponsored security conference in October, the company's chief executive, John Philip Coghlan, publicly floated a similar idea.

"We're exploring a plan to encourage all stakeholders in the payment chain to help create an objective, stand-alone entity to manage data security issues for the entire industry," he said. At the time, MasterCard acknowledged it had discussions with Visa about that type of approach but maintained that it believed that the current standards were effective.

Still, the extent of the proposed agency's enforcement power, if any, is unclear, as is the potential makeup of the group's representatives.

And it is also too early to determine how the new security standards would differ from the payment card industry's existing ones, which outline a common set of rules with slight differences among the card companies.

Although Discover Financial and American Express do not appear to be participating in the discussions, Visa and MasterCard, whose cardholders are responsible for roughly 80 percent of all credit and debit transactions, may have the power to bring a new standard-setting body into being.

In the wake of the CardSystems data breach, Visa and MasterCard executives acknowledged that existing security standards were not always being followed. Even today, Visa said, only 15 percent of the 215 biggest retailers that accept its cards can certify they fully meet the payment card industry's current standards.

Data security specialists say fewer than 1 percent of America's roughly five million merchants have even submitted a security plan. In response, each of the major card companies has introduced a raft of new proposals, often with more public relations bark than actual bite.

Yesterday, MasterCard announced that its issuing banks would offer a reduction of up to 16 percent in transaction fees for online merchants that require customers to enter a unique PIN-code. (Visa introduced a similar program in 2003.) That would bring the fees charged for electronic transactions in line with the rates charged on sales in stores.

Yet merchants bear the cost of upgrading their computer systems to participate in the PIN-code program. So far, only a tiny fraction of Visa and MasterCard online retailers have signed up.

MasterCard also said it would encourage smaller merchants to review their security practices by endorsing a free one-time computer network vulnerability scan from five big data security firms. (Visa offers no such plan.) While it is the first time a card company has sponsored such an initiative, those companies have offered free scans for years to attract new auditing business.

All the card companies, meanwhile, have announced efforts to improve communication with their merchants. In the past, many companies complained that they did not understand or were never told of the payment industry's security rules.

Visa has been a sponsor of seminars with the United States Chamber of Commerce for small merchants and has tried to reach consumers with television and magazine ads.

MasterCard said yesterday that it would focus its efforts on its merchants, promoting tighter data security through online seminars and in trade magazines.

Mr. Thom of MasterCard said that Visa and MasterCard executives have been working to revise the current rules to "build more flexibility into the standards without undermining" them.

He said that the proposed changes could be introduced sometime in the first quarter, and the new open standards body might be unveiled sometime in the quarter after that.

Rosetta Jones, a Visa spokeswoman, however, said that the card company was still exploring the concept. Judy Tenzer, an American Express spokeswoman, said that they were not working on any independent standards apart from the existing ones.

"The good news, if there is any good news off the back of CardSystems, is that it did generate an enormous awareness," Mr. Thom said.

Of course, there is plenty of work ahead. Yesterday, for example, an apparent data base break-in at the Atlantis Resorts in the Bahamas left the personal information of more than 50,000 guests, including credit card and bank statement information, exposed to fraud.